How to Obscure Any URLHow Spammers And Scammers Hide and ConfuseLast Updated Sunday, 13 January 2002

NOTICE: the IP address of this site has changed of late, and I've been unable to set aside time for the rather large task of revising this page. Its numerous links to the old IP address won't work. It'll be updated soon!

Since this page was first written in 1999, Internet Explorer and Netscape
have both begun dealing with URLs differently, particularly in versions 6 and above.
Some of the examples here will no longer work with those browser versions.

The weird-looking address above takes advantage of several
things many people don't know about the structure of a valid URL.

There's a little more to Internet addressing than commonly
meets the eye; there are conventions which allow for some
interesting variations in how an Internet address is expressed.

These tricks are known to the spammers and scammers, and
they're used freely in unsolicited mails. You'll also see them in
ad-related URLs and occasionally on web pages where the writer
hopes to avoid recognition of a linked address for whatever
reason. Now, I'm making these tricks known to you. Read
on, and you'll soon be very hard to fool.

(Note: Depending on your browser type and its version, some of the
oddly-formatted URLs on this page may not work. Also if you're on a LAN
and using a proxy [gateway] for Internet access, many of them are
unlikely to work. Also, fear not; this page does not exploit the
"Dotless
IP Address" vulnerability of some IE versions.)

First take note of the "@" symbol that appears amid
all those numbers. In actual fact, everything between
"http://" and "@" is completely irrelevant!
Just about anything can go in there and it makes
no difference whatsoever to the final result. Here are two
examples:

If you didn't know better, you might think this page were at
playboy.com!

By the way, the @ symbol can be
represented by its hex code %40 to further
confuse things; this works for the IE browser, but not for Netscape.
(Thanks to The Webskulker
for this.)

All right, so what about that long number after the
"@"? How does 3468664375 get you to www.pc-help.org?

In actual fact, the two are equivalent to one another.
This takes a little explaining so follow me carefully here.

The first thing you need to know (most Net users know this),
is that Internet names translate to numbers called IP addresses.
An IP address is normally seen in "dotted decimal"
format. www.pc-help.org translates to 206.191.158.55.
So of course, this page's address can be expressed as: http://206.191.158.55/obscure.htm.

Numeric IP addresses are generally unrecognizable to people, and not
easily rememberd. That's why we use names for network locations in the
first place.

Merely using an IP address, in its usual dotted-decimal format, in
place of the name is commonly done and can be quite effective at leaving
the human reader in the dark about which website he's visiting.

But there are other ways to express that same number.
The alternate formats are:

"dword" - meaning double word
because it consists essentially of two binary "words" of 16 bits;
but it is expressed in decimal (base 10);

The dword equivalent of 206.191.158.55 is 3468664375. Its octal and
hexadecimal equivalents are also illustrated below.

Why obscure names in the first place? Most often it's because by
publicly-available registration records, the owners of domain names
can often be identified. Even if the owner isn't traceable by that
record, his service provider is. The last thing any scammer or
spammer wants is to be found by his victims, or to have his service
provider alerted to his abuses. Although the use of obscured URLs is
far from their only means of avoiding retribution, it's been a favorite.

It's beginning to make some sense, isn't
it? But what's all that gibberish on the right? Here's how that works:

Individual characters of a URL's path and filename can be represented
by their numbers in hexadecimal form. Each hex number is
preceded by a "%" symbol to identify the following two
numbers/letters as a hexadecimal representation of the character. The
practical use for this is to make it possible to include spaces and
unusual characters in a URL. But it works for all characters and
can render perfectly readable text into a complete hash.

In my example, I have interspersed hex representations with the real
letters of the URL. It simply spells out
"/obscure.htm" in the final analysis:

/ o %62 s %63 ur %65 %2e %68 t %6D
/ o b s c ur e . h t m

The letters used in the hex numbers can be either upper or lower
case. The "slashes" in the address cannot be represented in
hex; nor can the IP address be rendered this particular way. But
everything else can be.

Hex character codes are simply the hexadecimal (base 16) numbers for
the ASCII character set; that is, the number-to-letter representations
which comprise virtually all computer text.

To find the numeric value for an ASCII character, I often use a
little batchfile I wrote for the purpose years ago; and then if I
want the hex equivalent I usually do the math in my head. It just
requires familiarity with the multiples of 16 up to 256.

For most people, the conversion is probably best done with a chart.
The best ASCII-to-hex chart I have ever seen is on the website of Jim
Price: http://www.jimprice.com/jim-asc.htm.
Jim explains the ASCII character set wonderfully well, and provides a
wealth of handy charts.

I can't improve on Jim's excellent work! Print out Jim's
ASCII-to-hex chart and you're in business. If Jim's site ever
disappears, let me know and I'll do a chart of my own.

IP addresses are most commonly written in the dotted-decimal format.
A dotted-decimal IP number normally has 4 numeric segments, each
separated by a period. The numbers must range from 0 to 255.

Translation of a network name to its IP address is usually done in
the background by your network software, invisible to the user. Given a
name, your browser queries a name server, a machine somewhere on
the Net which performs this basic network addressing function; it
thereby obtains the numeric IP address and then uses that address to
direct its requests to the right computer, somewhere out there on the
Net.

There is a standard utility which allows the user to perform
these name server lookups directly and see the results. It's
called NSLOOKUP.

A wide variety of nslookup utilites is available on the Net,
often for free download. Some provide a graphical interface under
Windows, but the original and most basic nslookup is run from a
textual command line. One such command-line utility is included
in my free Network Tracer.
Please download it if you're interested.

Place NSLOOKUP.EXE
in your Windows directory and you can use it from a DOS window. A
simple nslookup query is structured as follows:

nslookup [name or IP address] [name server]

A name server has to be specified if you're using Windows 9x/ME,
either by name or IP address. Find out the address of your ISP's
Primary DNS Server -- it can usually be found in your Dial-Up
Networking setup or in the documents provided for setup of your
Internet connection.

It's a powerful utility; it can find names for known addresses,
addresses for known names, and a variety of other information relevant
to an Internet address. But doing some of the fancier things with
NSLOOKUP is difficult if
you're not already technically savvy. For the technically inclined,
there is a manual; and several examples of
its use can be found in TRACE.BAT, the primary component of my Network Tracer.

If you're determined to avoid the DOS command line, and want a tool
that will do most of the thinking for you, I recommend NetScanTools, a
reasonably-priced network utility toolbox. It's available as a 30-day
shareware demo and a bargain at just $25. NetScanTools is not merely an
address-lookup utility; it can do a great many things. For a Windows
user trying to comprehend the nuts and bolts of the Net, it's a whole
world of discovery.

Normally, the four IP numbers in a standard dotted-decimal address
will all be between 0 and 255. In fact they must translate to an
8-bit binary number (ones and zeroes), which can represent a quantity no
higher than 255.

But the way this number is handled by some software often allows for
a value higher than 255. The program uses only the 8 right-hand digits
of the binary number, and will drop the rest if the number is too large.

This means you can add multiples of 256 to any or all of the 4
segments of an IP address, and it will often still work. In my tests, it
was limited to 3 digits per number; values over 999 didn't work.

I could create a math lesson about this, and tell
you all about bits and bytes and base 16. But it's not really
necessary. Anyone with a Windows system has a handy calculator
that makes it simple to convert decimal numbers to hex, and to
find the dword equivalent of any dotted-decimal IP number. You
should find it by selecting Start ... Programs ... Accessories
... Calculator. It will look like this:

or, in Scientific mode, it looks like this:

I suggest Scientific mode for this
purpose.

Start with an IP address. In this example we'll use 206.191.158.55.
Enter the following keystrokes into the calculator exactly as shown:

206 * 256 + 191 = * 256 + 158 = * 256 + 55 =

The dword equivalent of the IP address will be the
result. In this case, 3468664375.

Now, there is a further step that can make this address even more
obscure. You can add to this dword number, any multiple of the quantity
4294967296 (2564) -- and it will
still work. This is because when the sum is converted to its basic digital
form, the last 8 hexadecimal digits will remain the same. Everything
to the left of those 8 hex digits is discarded by the IP software and
therefore irrelevant.

There now exist a handful of utilities that will do dword (and other)
conversions of IP addresses and URLs. When time permits, I'll be sure
to list them on this page. Meanwhile, there's a handy script on
Matthias Fichtner's website which will quickly convert any IP address to
its dword value and vice-versa: http://www.fichtner.net/tools/ip2dword/.

The PING utility that's in every Windows system can decipher dword
IPs. In fact, it deals with every method of expressing an IP
address that's described on this page. (My thanks to Steven,
who pointed this out on the NTBugTraq list.)

Just open a DOS window and type:

ping [IPAddress]

PING will then do its usual job, in which it contacts the remote
system (if any) at that address and gauges its response times. In the
process, it displays the ordinary dotted-decimal equivalent of the IP
address you entered.

Octal numbers are easily derived with the Windows calculator in
Scientific mode. Enter a decimal number, then select the "Oct" button
at upper left. The octal number will appear. The reverse operation
translates octal to decimal.

You thought that was all? Well, so did I, until one Daniel Dočekal
informed me otherwise. There is yet another obscure way to
express an IP address.

Starting with the method outlined above, you can readily calculate
the hexadecimal number for 206.191.158. 55. In Scientific mode,
calculate the dword value. Then select the Hex button. The resulting
hexadecimal number (CEBF9E37) can be
expressed as an IP address in this manner:
0xCE.0xBF.0x9E.0x37

The "0x" designates each
number as a hex quantity.

The dots can be omitted, and the entire hex number preceded by 0x:
0xCEBF9E37

And, additional arbitrary hex digits can be added to the left of the
"real" number: 0x9A3F0800CEBF9E37

As IP address space becomes more valuable, web hosting services
increasingly use systems that place many websites at one
IP address. The server differentiates between sites by means of the
domain name portion of the URL. Sites on such a server cannot be
addressed using the IP address alone.

Some Notes on Compatibility

I've been getting a lot of feedback about this page from people who
are running various browsers and proxies. So far, reports and my own
rather limited tests seem to indicate that:

hex-coded IPs and values over 255 in dotted-decimal IPs don't
work with Netscape;

most, perhaps all of the dword-coded IPs don't work with some
versions of IE; this could be an effect of the MS patch
for the "dotless IP" exploit.

Later IE versions seem to reject any hex-coded IP that's not
broken up by dots as in my first example above;

Opera 3.60 doesn't allow non-dotted hexadecimal IPs.

Netscape won't allow the following characters in the
authentication text: /?

IE won't allow the following characters in the authentication
text: /\#and it exhibits problems or inconsistencies with: %'"<>

MS-Proxy reportedly rejects almost any IP address that's not in
dotted-decimal IP format, as may some other proxies. Reports
indicate that most proxies handle them all just fine.

If you notice anything more you think I should know about URL formats
or the behavior of some particular software, feel free to drop me a note.